Posted: 12-Nov-2014 | Category: Education | Uploaded by: ajin-abraham
EXPLOIT RESEARCH: EXPLOIT DEVELOPMENT WITH MONA
Kerala Cyber Force
www.keralacyberforce.in
Ajin Abraham
@ajinabraham
WHAT IS MONA?
• Mona (mona.py) is a plugin for Immunity Debugger and WinDBG, developed by Peter Van Eeckhoutte (corelanc0d3r) of the Corelan Team.
• Mona is a Python script that simplifies the work of an exploit developer manyfold: it automates the searching, filtering and pattern work you would otherwise do by hand in the debugger.
• As far as I can tell, this tool was created to make exploit development n00b-friendly.
• You don’t have to spend days and hours on the mechanical parts of exploit development.
• Mona will do almost everything for you: find the offset, the bad characters, usable return addresses and ROP gadgets, and even write the Metasploit module skeleton.
SET OF COMMANDS SUPPORTED BY MONA
GLOBAL OPTIONS THAT YOU CAN APPLY AS FILTERS
MONA INITIAL CONFIGURATION
• Download mona.py and copy it to the PyCommands directory of Immunity Debugger.
• Set a working folder, where mona writes its output files (seh.txt, rop.txt, bytearray.txt, etc.): !mona config -set workingfolder <path>
• Ex: !mona config -set workingfolder C:\Mona\%p, where %p is replaced with the process name and %i with the process id.
GLOBAL OPTIONS OR FILTERS
• -n : Skip modules whose base address starts with a null byte (every pointer into them would contain 0x00).
• -o : Skip OS modules.
• -p <nr> : Stop the search after <nr> pointers.
• -m <module>,... : Limit the search to one or more modules. Ex: !mona seh -m "ntdll","xyzdll"
• -cm <property>=<value>,... : Limit by module properties. Ex: !mona seh -cm aslr=false,os=true. Available properties: aslr, safeseh, os, rebase, nx
• -cp <property>,... : Limit by pointer properties. Ex: !mona seh -cp unicode. Available properties: unicode, ascii, asciiprint, upper, lower, uppernum, lowernum, numeric, alphanum, nonull, startswithnull, unicoderev
• -cpb "<bytes>" : Limit by bytes that must not appear in the pointer (bad-character filtering). Ex: !mona seh -cpb "\x00\x0a\x0d\x20"
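To make the -cp and -cpb filters concrete, here is an added example (not mona's own code) that applies a subset of those pointer properties to a constructed list of candidate addresses, the way you would sift through seh.txt or jmp.txt by hand. The candidate values, the property names and the bad-byte list are assumptions made for the example; mona's real implementation may differ in detail.

```python
# Added example, not mona's own code: the pointer-property filters behind -cp and -cpb,
# applied to a constructed list of candidate addresses (e.g. from !mona seh output).
import struct


def ptr_bytes(ptr):
    """The 4 bytes a 32-bit pointer occupies in the payload (little-endian)."""
    return struct.pack("<I", ptr)


# A subset of mona's -cp properties.  Each takes the pointer value and returns True
# if it qualifies.  'unicode' means 00XX00YY: the pointer survives an ASCII->UTF-16
# widening.  'startswithnull' means 0x00XXXXXX: little-endian puts the null byte last,
# so such a pointer is usable as the final dword of a string-copied buffer.
PROPS = {
    "nonull":         lambda p: 0x00 not in ptr_bytes(p),
    "startswithnull": lambda p: (p >> 24) == 0,
    "ascii":          lambda p: all(b < 0x80 for b in ptr_bytes(p)),
    "asciiprint":     lambda p: all(0x20 <= b <= 0x7E for b in ptr_bytes(p)),
    "alphanum":       lambda p: all(b < 0x80 and chr(b).isalnum() for b in ptr_bytes(p)),
    "unicode":        lambda p: (p & 0xFF00FF00) == 0,
}


def filter_pointers(candidates, cp=(), cpb=b""):
    """Keep the pointers that satisfy every property in `cp` (-cp) and contain none of
    the bytes in `cpb` (-cpb, the bad-character filter)."""
    keep = []
    for p in candidates:
        if any(b in cpb for b in ptr_bytes(p)):
            continue
        if all(PROPS[prop](p) for prop in cp):
            keep.append(p)
    return keep


# Constructed candidates (not real module addresses), chosen to hit each filter.
CANDIDATES = [
    0x00401A2B,   # starts with null
    0x62501203,   # no null, ascii but not printable
    0x7C0A1234,   # contains 0x0A (a common bad byte)
    0x00450043,   # unicode-friendly 00XX00YY
    0x41424344,   # "DCBA": printable and alphanumeric
    0x6A20B37E,   # contains 0x20 (space)
]

if __name__ == "__main__":
    print([hex(p) for p in filter_pointers(CANDIDATES, cpb=b"\x00\x0a\x0d\x20")])
    print([hex(p) for p in filter_pointers(CANDIDATES, cp=("unicode",))])
```

The order of a pointer's bytes matters: a bad byte of 0x20 at the high end of 0x6A20B37E still lands inside the payload, which is why the filter looks at the packed little-endian bytes rather than the hex digits.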
COMMANDS
• !mona pc <size> : Generate a cyclic pattern of <size> bytes, like Metasploit's pattern_create.rb.
• !mona po <4 byte pattern> : Locate the given 4 bytes (for example the value found in EIP after the crash) in the cyclic pattern and report the offset, like pattern_offset.rb.
• !mona findmsp : After crashing the target with the cyclic pattern in memory, find registers overwritten with the pattern, registers that point into the pattern, pointers on the stack that point into the pattern, every location of the pattern in memory, and the pattern size.
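The three commands above are all built on one cyclic pattern. The following is an added example, not mona's code, that re-implements that pattern (the same Aa0Aa1... sequence that pattern_create.rb emits), the offset lookup behind !mona po, and the "register overwritten with the pattern" check that !mona findmsp performs. The crash register values at the bottom are constructed for the example.

```python
# Added example, not mona's own code: the cyclic pattern behind !mona pc / !mona po
# (the same sequence as Metasploit's pattern_create.rb / pattern_offset.rb) and the
# register check at the heart of !mona findmsp.
import string
import struct

# One full cycle: every (upper, lower, digit) triplet, 26*26*10*3 = 20280 bytes.
_CYCLE = "".join(u + l + d
                 for u in string.ascii_uppercase
                 for l in string.ascii_lowercase
                 for d in string.digits).encode()


def pattern_create(length):
    """Return `length` bytes of the Aa0Aa1Aa2... pattern (wraps after 20280 bytes)."""
    reps = length // len(_CYCLE) + 1
    return (_CYCLE * reps)[:length]


def _as_bytes(value):
    """Accept the 4 pattern characters ('8Di9'), their raw bytes, or the dword as it
    shows up in a register (0x39694438).  Registers hold the bytes little-endian, so
    the integer form is packed with '<I' to recover the order they had in the buffer."""
    if isinstance(value, int):
        return struct.pack("<I", value)
    if isinstance(value, str):
        return value.encode()
    return value


def pattern_offset(value, length=20280):
    """Offset of `value` inside the pattern, or -1 if it is not found (cf. !mona po)."""
    return pattern_create(length).find(_as_bytes(value))


def find_msp(registers, length=20280):
    """The 'register overwritten with the pattern' part of !mona findmsp: for each
    register, report the pattern offset its value came from, or None if the value
    does not occur in the pattern."""
    result = {}
    for name, value in registers.items():
        off = pattern_offset(value, length)
        result[name] = off if off >= 0 else None
    return result


if __name__ == "__main__":
    # Constructed crash state: EIP and EBP were overwritten with pattern bytes,
    # ESP still holds a stack address.
    crash = {"EIP": 0x39694438, "EBP": 0x69443769, "ESP": 0x0012F7A8}
    print(find_msp(crash))   # EIP came from offset 2606, EBP from 2602, ESP: None
```

Note the EBP/EIP offsets differ by exactly 4: in a plain stack overflow the saved EBP sits just below the saved return address, so findmsp reporting adjacent offsets for those two registers is a good sanity check that the pattern landed where you think it did.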
COMMANDS
• !mona mod : List all loaded modules along with their properties (ASLR, rebase, SafeSEH, NX, OS module).
• !mona bytearray : Generate the bytes 0x00 to 0xFF (written to the working folder as bytearray.txt and bytearray.bin).
• !mona bytearray -b "<list of bytes>" : Generate the bytes 0x00 to 0xFF excluding the listed bytes.
• This is very handy for checking bad characters during exploit development: send the array in your payload, then compare it with what actually landed in memory and exclude the first byte that was mangled or truncated.
• !mona jmp -r <register> : Find pointers that jump to the given register (jmp esp, call esp, push esp / ret, etc.).
Ex: !mona jmp -r esp -m "ntdll" -cm os=true -cp nonull
• !mona noaslr : Show modules that are not ASLR-enabled or rebased.
• !mona nosafeseh : Show modules that are not SafeSEH protected.
• !mona seh : List pointers to POP/POP/RET (PPR) or CALL DWORD [ESP+x] sequences, for SEH overwrites.
• !mona egg -t <tag> : Create egghunter code that searches for the given tag.
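The bad-character procedure described above is easy to get wrong by eye, so here is an added example (not mona's code) of the loop behind it: build the array that !mona bytearray -b writes, compare it with what came back from memory the way !mona compare does, exclude the first divergent byte, and repeat until the array survives intact. The target is a constructed stand-in that strips carriage returns and stops reading at a newline; with a real application the "read back" bytes come from a memory dump in the debugger.

```python
# Added example, not mona's own code: what !mona bytearray -b generates, and the
# comparison !mona compare performs against the bytes found in memory, looped until
# no bad characters remain.
def make_bytearray(exclude=b""):
    """0x00..0xFF minus the excluded bytes, in the same ascending order mona writes."""
    return bytes(b for b in range(256) if b not in exclude)


def first_mismatch(sent, found):
    """(offset, expected, actual) for the first byte that differs or is missing, else None.
    This is the heuristic behind comparing the array with memory: the first divergence
    marks the next bad byte, whether it was translated, dropped, or cut the buffer short."""
    for i, expected in enumerate(sent):
        if i >= len(found):
            return (i, expected, None)          # buffer was truncated here
        if found[i] != expected:
            return (i, expected, found[i])      # byte was mangled or dropped
    return None


def find_bad_chars(read_back, known_bad=b"\x00"):
    """Send the array, compare, exclude the byte at the first divergence, repeat.
    `read_back` is a callable returning the bytes as they ended up in memory."""
    bad = bytearray(known_bad)
    while True:
        arr = make_bytearray(bad)
        mism = first_mismatch(arr, read_back(arr))
        if mism is None:
            return bytes(bad)
        bad.append(mism[1])


def constructed_target(buf):
    """Constructed stand-in for the vulnerable program: strips \\r and stops at \\n.
    A real target is replaced by reading the buffer back out of the process."""
    return buf.replace(b"\x0d", b"").split(b"\x0a")[0]


if __name__ == "__main__":
    print(find_bad_chars(constructed_target).hex())   # 000a0d
```

Excluding only one byte per round matters: once 0x0a truncates the buffer, everything after it looks "bad" in that round, so you cannot conclude anything about 0x0d until 0x0a has been removed and the array is sent again.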
COMMANDS
• !mona rop : Generate ROP gadgets; it also runs ropfunc and stackpivot and writes suggested ROP chains.
• !mona ropfunc : Find pointers to pointers (IAT entries) of interesting functions that can be used in your ROP chain (APIs such as VirtualProtect and VirtualAlloc, and related ones).
• !mona stackpivot : Find stack pivot gadgets (instructions that move ESP into your controlled buffer).
• !mona find : Find bytes in process memory.
• !mona findwild : Find instruction sequences in process memory using wildcards.
COMMANDS
• !mona header : Create a Ruby exploit header (the buffer as a Ruby string) from a PoC file. Ex: !mona header -f "<path>"
• !mona skeleton : Create a Metasploit module skeleton.
• !mona suggest : Create a Metasploit module once you control EIP or SEH with the cyclic pattern.
FIGURE OUT OTHER COMMANDS BY YOURSELF
• assemble
• dump
• stacks
• gflags
• breakpoint
• compare
• ................................... etc.
@ajinabraham
THANKS
@AJINABRAHAM
Good Read : https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/